[H-GEN] Re: [H-ANNOUNCE] Virus spam warning

Matthew Sellers msellers at bigpond.com
Wed Mar 23 13:38:40 EST 2005


On Mon, 21 Mar 2005 21:56:16 -0500
Jason Parker-Burlingham <jasonp at panix.com> wrote:


> On Tue, Mar 22, 2005 at 09:55:53AM +1000, Tony Bilbrough wrote:
> 
> > I too have been getting them for a wee while
> > BUT.............
> > 1] they all purported to have come from the exec mail list, so I wrote 
> > back to the exec mail list for an explanation.
> 
> The message to -announce might have mentioned this little tidbit.  My
> ISP helpfully deletes stuff like this without my having to bother myself
> with it.  When I notice a new one they're instantly recognizable as a
> scam and I'm frankly amazed that they ever spread at all.
> 
> If the warning had said something more like the following I should have
> been a great deal less annoyed.  (As it was it was all I could do to
> care enough to respond at all; this message is to clear up a few points
> before I leave the matter in more capable hands.)
> 
> 	"Some club members have been receiving messages similar to the
> 	following, apparently from the HUMBUG executive.  These messages are
> 	not from the executive.  It is possible to see that the message is a
> 	fake because...
> 
> 	If we wanted to send you a warning that your system was compromised we
> 	would call you on the phone/send you PGP-signed email/come 'round to
> 	your house with a two-by-four.
> 
> 	The messages can be recognised by the following characteristics...
> 
> 	Refer to blahblah.example.com/virusinfo for more information."
> 
> *That* message is clear, unambiguous, and explains in a number of ways
> how to recognise future fake messages, thereby arming the reader against
> further assaults on their credulity---something that I note Mark took
> pains to do, as he so frequently does.
> 
> > Mark Suter took the trouble to explain how to read the headers. Then it 
> > became obvious that Caliburn was not compromised. Mark's reply is 
> > pasted, just below Jason's laughing vivisection,
> 
> A note:  I was not dissecting Matthew's warning, nor was I responding
> from a sense of sport.  What I referred to when I signed off with a note
> that I dissect VB viruses for fun was the practice of unpacking and
> deobfuscating the code, if it comes in that particular language.  It is
> occasionally instructive.
> 
> > for those that are 
> > interested.
> 
> *If* we're going to be interested in viruses that affect other operating
> systems, then I think more detail is called for:  the name, signature
> and effects of the virus would be a good start.  This is almost exactly
> what I said in my initial response to Matthew's message and I stick by
> it.
> 
> > 2] the virus only shows up when a mailer is opened under a Windows 
> > operating system, and let's face it not too many Humbug members use that 
> > one, outside work hours!
> > However from a work place .........
> 
> There is no shortage of resources which can be used to keep abreast of
> developments in Windows email viruses.  I know because I watch a number
> of them closely.  I don't disagree that it's valuable information, just
> that the HUMBUG mailing lists are the wrong forum for it; if a list
> subscriber wants to warn the rest of us about a security problem then it
> should probably be done with more detail.

Thanks for the comments.

I have been receiving these virus messages for a while. I had just been deleting
them as they arrived.

After Tony asked about these messages, it occurred to me that the wording and
headers of this message may be sufficiently convincing to confuse some of those
list members newer to the club.

I sent the warning simply to clarify that messages with that wording were not
what they claimed, and that they should not be opened. I did not address the
nature of the payload because it was a Windows virus, and this is quite
obviously not the right forum for that. My intention was to call attention to
the message structure, not any particular virus variant.

Upon rereading my message, I will concede that it should have been clearer.

cheers

-- 
Matthew Sellers



